Chapter 7 : Feature Selection for the Minor Attacks and Its Sub-minor Attacks
7.3 Experimental Results and Analysis
7.3.1 Characteristics of U2R Attacks
7.3.1.1 U2R Attack vs. Normal Data Experiment
Table 7-2 gives the ranking of features for the U2R attack. It shows that the most important features for identifying U2R attacks are those describing the content of a connection. The features most commonly selected by the applied algorithms belong to the content group, notably f10, f13, f14, f16, f17 and f18, referred to as Hot, Num-compromised, Root-shell, Num-root, Num-file-creations and Num-shells, respectively. The basic features of the individual TCP connection also play a key part in identifying U2R attacks, as in the cases of f1, f3, f5 and f6, referred to as Duration, Service, Src-bytes and Dst-bytes, respectively, all of which are commonly ranked by the feature selection approaches used. In summary, the traffic features calculated over a two-second time window need not be taken into account when identifying U2R attacks, since none of the commonly ranked features belongs to that category; the traffic features calculated over a two-second time window from destination to host do, however, need to be taken into account.
Table 7-2: Ranked features of U2R attack
7.3.1.2 U2R Sub-Minor Attacks vs. Normal Data Experiment
This experiment summarises the features that need to be taken into account when identifying the U2R sub-minor attacks (see Table 7-3). The results obtained with the multi-class U2R dataset differ from those of the binary-class U2R dataset, mainly because several new features are ranked frequently whereas other features are ignored altogether. Across the U2R sub-minor attacks, the destination-host traffic feature category is of little significance in identification: the only feature in that category ranked by the applied techniques is dst_host_srv_count, f33. Conversely, several features need to be taken into account that were not needed in the binary-class case, such as Num-failed-logins, f11, which is consistently viewed as significant when establishing the sub-minor class of a U2R attack.
Features of U2R attack (Table 7-2)
No | Feature selection algorithm | Ranked features | NB accuracy (correctly classified instances)
1 | Cfs (BestFirst) | f10, f11, f13, f14, f17, f27, f33, f38 | 90.1% (79218)
2 | Correlation | f14, f33, f17, f36, f10, f18, f3 | 94.7% (83196)
3 | GainRatio | f14, f13, f17, f10, f9, f18, f11, f16 | 97.4% (85574)
4 | InfoGain | f6, f3, f5, f33, f1, f10, f14, f32 | 93.5% (81754)
5 | OneRAttribute | f6, f1, f3, f5, f14, f6, f7, f8 | 95.3% (83775)
6 | ReliefFAttribute | f3, f33, f34, f36, f31, f32 | 90.4% (79443)
7 | SymmetricalUncert | f14, f13, f10, f17, f1, f33, f3, f16 | 96.5% (84834)
8 | Average | f1, f3, f5, f6, f10, f13, f14, f16, f17, f18, f32, f33, f36 | 93.4% (82368)
9 | All features | f1-f41 | 92.7% (81447)
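As an added example, not part of the thesis, the following Python transcribes the per-algorithm rankings of Table 7-2 (U2R) and Table 7-4 (Buffer overflow) and computes how many of the seven selection algorithms vote for each feature, the tally per feature group using the chapter's own ranges (f1-f9 TCP connection, f10-f22 content, f23-f31 traffic, f32-f41 destination host), and the features ranked for one attack but for neither algorithm of the other. The consensus threshold of two algorithms is an assumption and does not reproduce the thesis's Average row exactly (it additionally keeps f11 for U2R).

```python
# Added example, not the thesis's own code: consensus over the ranked feature
# lists of Table 7-2 (U2R) and Table 7-4 (Buffer overflow), transcribed inline.
from collections import Counter

# Feature groups of the 41-feature KDD'99 set as used in this chapter.
GROUPS = {"tcp_connection": range(1, 10), "content": range(10, 23),
          "traffic": range(23, 32), "dst_host": range(32, 42)}

def parse(s):
    """'f14,f33,F17' -> [14, 33, 17]."""
    return [int(t.strip().lower().lstrip("f")) for t in s.split(",") if t.strip()]

U2R = {  # rows 1-7 of Table 7-2 (U2R attack vs. normal)
    "Cfs": parse("f10,f11,f13,f14,f17,f27,f33,f38"),
    "Correlation": parse("f14,f33,f17,f36,f10,f18,f3"),
    "GainRatio": parse("f14,f13,f17,f10,f9,f18,f11,f16"),
    "InfoGain": parse("f6,f3,f5,f33,f1,f10,f14,f32"),
    "OneR": parse("f6,f1,f3,f5,f14,f6,f7,f8"),
    "ReliefF": parse("f3,f33,f34,f36,f31,f32"),
    "SymmetricalUncert": parse("f14,f13,f10,f17,f1,f33,f3,f16"),
}
BUFFER_OVERFLOW = {  # rows 1-7 of Table 7-4 (Buffer overflow vs. normal)
    "Cfs": parse("f10,f13,f14,f17,f32,f33"),
    "Correlation": parse("f14,f17,f10,f33,f36,f25,f32,f3"),
    "GainRatio": parse("f14,f13,f17,f10,f25"),
    "InfoGain": parse("f6,f5,f3,f10,f1,f14,f13,f33"),
    "OneR": parse("f6,f5,f14,f1,f13,f10,f3,f17"),
    "ReliefF": parse("f3,f33,f32,f36,f12"),
    "SymmetricalUncert": parse("f14,f13,f10,f17,f1"),
}

def group_of(f):  # map a feature index to its group name
    return next(g for g, r in GROUPS.items() if f in r)

def votes(table):
    """Number of algorithms ranking each feature (a repeat inside one list counts once)."""
    return Counter(f for ranked in table.values() for f in set(ranked))

def consensus(table, min_votes=2):
    """Features ranked by at least min_votes algorithms (threshold is an assumption)."""
    return sorted(f for f, n in votes(table).items() if n >= min_votes)

def group_tally(table, min_votes=2):
    """Consensus features per group; a zero marks a group the text calls irrelevant."""
    t = Counter(group_of(f) for f in consensus(table, min_votes))
    return {g: t.get(g, 0) for g in GROUPS}

def unique_to(table, other):
    """Features ranked by at least one algorithm for table but by none for other."""
    return sorted(set(votes(table)) - set(votes(other)))
```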
Table 7-3: Ranked features of U2R sub-minor attacks
7.3.1.3 Buffer Overflow Attack vs. Normal Data Experiment
The results of this experiment are tabulated in Table 7-4. For the buffer overflow attack, the basic features of the individual TCP connection play a fundamental part in identification, since the majority of the features commonly ranked by the applied methods belong to this category, notably f1, f3, f5 and f6, referred to as Duration, Service, Src-bytes and Dst-bytes, respectively. The one feature that is ranked by at least one approach and is recognisable only in the case of this attack is Serror_rate, f25, which belongs to the traffic feature category. This confirms that establishing the percentage of connections to the same host that have a SYN error makes it possible to identify the presence and frequency of buffer overflow attacks. The features hot (f10) and lroot_shell (f14) are the most commonly identified, being selected by six of the adopted approaches.
Table 7-4: Ranked features of Buffer Overflow attack
Features of U2R sub-minor attacks (Table 7-3)
No | Feature selection algorithm | Ranked features | NB accuracy (correctly classified instances)
1 | Cfs (BestFirst) | f1, f10, f11, f14, f16, f17, f18, f29, f40 | 15.1% (12387)
2 | Correlation | f14, f18, f17, f33, f3 | 91.5% (75268)
3 | GainRatio | f18, f14, f17, f9, f13, f16, f11, f10 | 94.85% (78012)
4 | InfoGain | f6, f5, f1, f3, f33, f17, f14 | 90.8% (74705)
5 | OneRAttribute | f6, f1, f5, f17, f16, f18, f14, f13, f10 | 14.9% (12261)
6 | ReliefFAttribute | f3, f33, f34, f32, f36, f14 | 89.3% (73534)
7 | SymmetricalUncert | f17, f14, f18, f16, f10, f13, f1 | 94.7% (77865)
8 | Average | f1, f3, f5, f6, f10, f11, f13, f14, f16, f17, f18, f33 | 91.8% (75480)
9 | All features | f1-f41 | 95.5% (78579)
Features of Buffer overflow attack (Table 7-4)
No | Feature selection algorithm | Ranked features | NB accuracy (correctly classified instances)
1 | Cfs (BestFirst) | f10, f13, f14, f17, f32, f33 | 99.7% (80131)
2 | Correlation | f14, f17, f10, f33, f36, f25, f32, f3 | 99.8% (80183)
3 | GainRatio | f14, f13, f17, f10, f25 | 99.2% (79690)
4 | InfoGain | f6, f5, f3, f10, f1, f14, f13, f33 | 95.6% (76776)
5 | OneRAttribute | f6, f5, f14, f1, f13, f10, f3, f17 | 97.8% (78579)
6 | ReliefFAttribute | f3, f33, f32, f36, f12 | 99.8% (80156)
7 | SymmetricalUncert | f14, f13, f10, f17, f1 | 99.3% (79763)
8 | Average | f1, f3, f5, f6, f10, f13, f14, f17, f25, f32, f33, f36 | 99.5% (79967)
9 | All features | f1-f41 | 99.5% (79946)
7.3.1.4 Loadmodule Attack vs. Normal Data Experiment
As detailed in Table 7-5, identifying attacks of the Loadmodule type relies on the basic features of the content group, with the majority of the most commonly ranked features belonging to this group: f10, f13, f14, f16, f17 and f18, namely Hot, Num-compromised, Root-shell, Num-root, Num-file-creations and Num-shells, respectively. One of the continuous features, Dst-host-srv-diff-host-rate, f37, is unique to the identification of the Loadmodule attack. It is ranked by at least two of the applied approaches and concerns the rate of connections to different hosts for the destination host. Nonetheless, the most commonly identified feature, as selected by six of the methods, is lnum_file_creations (f17).
Table 7-5: Ranked features of Loadmodule Attack
7.3.1.5 Perl Attack vs. Normal Data Experiment
As shown in Table 7-6, in identifying the Perl attack it is not relevant to take into account the category of traffic features (f23-f31), since none of the approaches ranks any feature within this group. The most valuable features, as determined through the various techniques applied and placed first in the ranking, are the connection length (Duration), the number of data bytes from destination to source (Dst-bytes) and whether or not a root shell is obtained (Root-shell). Each of these features is ranked first by more than one method. Duration, f1, is ranked first by the Correlation and SymmetricalUncert methods, whilst Dst-bytes, f6, secures the highest rank under both the InfoGain and OneRAttribute algorithms. The most dominant feature among them, however, is Root-shell, f14, which is ranked first by Correlation and GainRatio. Among the U2R attacks and their sub-minor categories, the Perl attack is the only one for which the hot feature, f10, is not ranked as important for identification. Since Perl attacks cannot be identified by establishing the instances of directory access, it is imperative that the lroot_shell (f14) and lnum_shells (f18) features are taken into consideration, as these are considered valuable across all methods applied.
Features of Loadmodule attack (Table 7-5)
No | Feature selection algorithm | Ranked features | NB accuracy (correctly classified instances)
1 | Cfs (BestFirst) | f14, f17, f32, f33 | 99.6% (80015)
2 | Correlation | f14, f18, f17, f37, f36, f33 | 95.1%
3 | GainRatio | f18, f14, f13, f17, f10, f16 | 99.3% (79772)
4 | InfoGain | f6, f3, f33, f5, f1, f32, f36, f37, f17, f10 | 99.4% (79870)
5 | OneRAttribute | f6, f1, f17, f14, f18, f37, f3, f13, f10, f5 | 95.55% (76699)
6 | ReliefFAttribute | f3, f33, f32, f35, f34, f36 | 99.7% (80093)
7 | SymmetricalUncert | f14, f17, f18, f10, f13, f33, f16, f32 | 99.7% (80067)
8 | Average | f1, f3, f5, f6, f10, f13, f14, f16, f17, f18, f32, f33, f36, f37 | 99.5% (79907)
9 | All features | f1-f41 | 99.3% (79762)
Table 7-6: Ranked features of Perl attack
7.3.1.6 Rootkit Attack vs. Normal Data Experiment
As shown in Table 7-7, the traffic features calculated over a two-second time window are not relevant to establishing the rootkit attack, as none of the algorithms ranks any of them. The occurrence of a rootkit can instead be determined from the features in the TCP connection and content groups, which span f1-f9 (TCP connection) and f10-f22 (content). The features ranked specifically for the rootkit attack, by at least four of the commonly implemented methods, are the Urgent feature, f9, which counts the urgent packets, and the Num-failed-logins feature, f11, which represents the number of failed login attempts. Six of the applied methods agreed on the importance of lnum_root (f16) for rootkit attack detection.
Features of Perl attack (Table 7-6)
No | Feature selection algorithm | Ranked features | NB accuracy (correctly classified instances)
1 | Cfs (BestFirst) | f1, f14, f16, f17, f18 | 100%
2 | Correlation | f14, f18, f17, f34, f33, f3 | 99.99% (80313)
3 | GainRatio | f14, f18, f17, f16, f1, f33, f34 | 99.99% (80312)
4 | InfoGain | f6, f16, f14, f17, f18, f1, f3, f5, f34, f33 | 99.99% (80314)
5 | OneRAttribute | f6, f16, f14, f17, f18, f1, f3, f5, f40 | 99.99% (80313)
6 | ReliefFAttribute | f18, f14, f3, f34, f33, f12 | 99.98% (80297)
7 | SymmetricalUncert | f1, f14, f16, f17, f18 | 100%
8 | Average | f1, f3, f5, f6, f14, f16, f17, f18, f33, f34 | 99.99% (80314)
9 | All features | f1-f41 | 99.99% (80304)
Table 7-7: Ranked features of Rootkit attack